Fighting the OSX/Flashback Hydra

The biggest Mac botnet ever encountered, the OSX/Flashback botnet, is being hit hard. On April 12th, Apple released a third Java update since the Flashback malicious code outbreak. This update includes a new tool called MRT (Malware Removal Tool) which allows Apple to quickly push malware removal code to their user base. The first mission of MRT: remove Flashback.

A lot of researchers and security companies have been interested in OSX/Flashback. Many have published observations and partial results, generating a lot of buzz. ESET has been actively investigating the OSX/Flashback botnet. ESET was one of the first companies to implement a sinkhole to monitor the botnet. We can confirm the magnitude of the infection spread reported by other companies: we have seen more than 491,793 unique IDs coming from over 749,113 unique IP addresses connecting to our sinkhole. We are actively collaborating with the security community, sharing the results of our reverse engineering efforts and sinkhole data.

The OSX/Flashback malware can infect computers by multiple means. In the last couple of months, we have seen it spread as a fake Adobe Flash player (hence its name) and through exploits. The bulk of the infections happened recently when a group of websites started distributing the malware through drive-by download, exploiting the CVE-2012-0507 vulnerability in Java.

The first stage component of OSX/Flashback is a dropper, its only functionality is to contact a command and control server, download additional components and run them. Some of the variants of the dropper we have seen would also load a library. When installed, the library will load with any application on the system. It hooks the system functions responsible for communication and is in a position to alter web pages and spy on users’ internet activity and behaviour. It is still unclear to us if this spying is used to display unsolicited advertisements in the browser of infected computers or to steal information.

When it comes to disclosing a realistic number of unique infected hosts, we strive to be as accurate and objective as possible. Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs. Our data indicates many UUIDs that connected to our sinkhole (a server we set up to capture incoming traffic from bot-infected machines trying to communicate with their command-and-control servers), came from a big range of IP addresses, indicating that there may be UUID duplicates. Virtual Machines or so-called Hack-intosh installations may explain this.

When browsing Hack-intosh forums, we found out that everyone who is using the fourth release candidate of a special distribution has the same hardware UUID (XXXXXXXX-C304-556B-A442-960AB835CB5D) and even discuss ways to arbitrarily modify it.

Oddly enough, we found this UUID connected to our sinkhole from 20 different IP addresses. This indicates that those who considered UUID to count the number of distinct infected hosts probably have underestimated the botnet size.

Flashback evolved a lot in the last few months. The authors moved fast and added obfuscation and fallback methods in case the main C&C server is taken down. The dropper now generates 5 domain names per day and tries to get an executable file from those websites. The latest variants of the dropper and the library encrypt its important strings with the Mac hardware UUID. This makes it difficult for researchers to analyze a variant reported by a customer if they don’t also have access to the UUID.

The fallback mechanism that Flashback uses when it is unable to contact its C&C servers is quite interesting. Each day, it will generate a new Twitter hashtag and search for any tweet containing that hashtag. A new C&C address can be provided to an infected system this way. Intego reported this last month, but the latest version uses new strings. Twitter has been notified of the new hashtags and are working on remediations to make sure the operator of the botnet cannot take back control of his botnet through Twitter.

To protect your Mac OS X computers we highly recommend applying the latest update from Apple. In addition, users can also download a (free) trial version of ESET Cybersecurity for Mac to scan their computer for infection and clean any threat that might be found on the system.

Thanks to Marc-Etienne Léveillé and Alexis Dorais-Joncas for their contribution to this research.

I ran the terminal commands specifed by f-secure / DrWeb and the "does not exist" message. Then I ran the Apple OSX Java update 2012-003 and it said I did have the Flashback virus. Not sure which to believe. I have also been running ESET Antivirus for months and that did not detect Flashback on my system.